Data Privacy (Archive)

The Health Care Application (HCAPP) and other forms collect sensitive information on an individual that is needed to determine eligibility. Individuals can be harmed by the reckless disclosure of information about them, and, accordingly, there are significant penalties under both state and federal laws for government agencies that violate laws designed to protect individuals and groups from such disclosure of information.

This section provides a general overview of data privacy. Refer to the DHS Data Practices Manual for further information.

Data Classifications and Definitions.

Worker Responsibilities.

Data Review.

Worker Assigned to a Relative or Friend.

Privacy Rights of Children.

Penalties for Data Practices Violations.

Top of Page

Data Classifications and Definitions

Government data is presumed to be public unless there is federal law or statute that classifies it as not public data.

Public Data.

Data which can be disclosed to anyone for any purpose, such as names and salaries of agency employees.

Private Data.

Data about individuals which can be disclosed only to the subject of the data or to government entities, employees, and contractors whose work assignments reasonably require access to the data. Much of the data collected and maintained by state and county agencies is private, such as the names of health care program applicants or enrollees. Private data is accessible to the subject of the data or the subject's authorized representative.

Confidential Data.

Data about individuals that even the individuals themselves cannot access, such as information from an investigation about welfare fraud or adoption records. Note, however, that even if the confidential data itself cannot be disclosed to individuals, individuals do retain the right to know whether an agency is maintaining confidential data about them.

Notice of Privacy Practices.

The Notice of Privacy Practices (DHS-3979) is a statement of rights given to people who are asked to provide private or confidential data about themselves. The Notice of Privacy Practices was formerly referred to as ”Tennessen Notice,” ”Practices Rights Statement,” or ”Privacy Act Notice.”

Top of Page

Worker Responsibilities

When you ask people to provide private data or confidential data about themselves, tell them:

l  The purpose and intended use of the requested data.

l  Whether they may refuse or if the law requires them to supply the data.

l  The consequences of supplying or refusing to supply the data.

l  The identity of other agencies or entities authorized to receive the data.

l  What people can do if they believe the information is incorrect or incomplete.

l  How people can see and get copies of the data collected about them.

l  Any other rights they may have regarding the specific type of information collected.

These elements are also known as the Notice of Privacy Practice. The HCAPP, Combined Application Form (CAF), and other DHS forms provide this information. Also include this information on other requests for information you send to the client.

Send private data by fax only if the fax is secure or encrypted, such as the HealthQuest fax. Do not include private data when sending e-mail via the Internet.

Top of Page

Data Review

Clients may review private data which contain information about them.

l  Only the information classified as private or public is available for review.

l  Private or public data must be shown to the subject of the data if requested.

Honor requests for review as soon as possible, but no later than five days following the request.

l  Do not count weekends and holidays in the five-day period.

l  When the county or state agency tells the client during the initial five days that it needs more time, it may take an additional five days.

l  The county or state agency may set the place and time of review.

Data about two or more people are maintained in a common file because of family relationships, and are joint records. In joint records, delete material about the person not requesting the review to protect that person's privacy.

Provide copies of original documents when requested by the subject of the data or the subject's authorized representative. Provide one free copy of a document and additional copies at the cost of reproduction. See the DHS Data Practices Manual for further information about these costs.

Top of Page

Worker Assigned to a Relative or Friend

Follow your agency’s procedures if you are assigned an application or active record of a relative or close friend. Many agencies prefer to reassign these cases when possible for the protection of all parties. If your agency does not reassign the case:

l  Be sure to protect the person’s privacy rights.

l  Do not discuss the case with the person outside of normal business hours.

l  Afford the person the same treatment as all other clients.

Top of Page

Privacy Rights of Children

Parents may see information about children under age 18 and allow others to see this information, unless either of the conditions below is met:

l  The child has requested that this information not be shared with their parents.

n  This request must be in writing and must state what information the child wants withheld and why.

n  If the agency agrees that sharing the information is not in the child's best interest, the information will not be shared with the child's parents.

l  It involved medical treatment for which parental consent was not required, such as pregnancy, sexually transmitted diseases, and chemical dependency.

Note:  If the health care provider believes failing to share the information would jeopardize the child’s health, the information may be shown to the parents.

For more information about what information may or may not be shared about children under age 18, see ”Minors” in the DHS Data Practices Manual.

Top of Page

Penalties for Data Practices Violations

Minnesota law authorizes lawsuits for data practices violations:

l  To seek damages resulting from violations of the Government Data Practices Act.

l  To prohibit the agency from conduct allegedly in violation of the statute.

l  To compel the agency to comply with the provisions of the statute.

Any public employee who willfully violates the provisions of the Act is guilty of a misdemeanor.

Willful violation of the statute by a public employee is just cause for dismissal or suspension without pay. The law also provides that in cases of willful violation a political subdivision, statewide system or state agency may be liable for punitive damages of $100 to $10,000 for each violation.

A person who wins a lawsuit alleging losses as a result of violation of the data practices act may be awarded compensation for the loss and for costs of the lawsuit and reasonable attorney fees.

Top of Page